The Sony hack is beginning to leave its mark on lawmakers in Washington, DC. Right before leaving for their winter vacation, politicians touted cybersecurity bills as the silver bullet to stopping future Sony-like hacks. The specific cybersecurity bills don't focus on advancing research and development, but on the sharing of computer threat information between the public and private sector. What these lawmakers neglect to tell the public is that the bills wouldn't have solved the Sony hack and that companies can already share information concerning computer threats.
Information Sharing Would Not Have Stopped the Sony Attack
New cybersecurity legislation isn't needed and it wouldn't have stopped the Sony hack. Instead of proposing unnecessary privacy-invasive bills, we should be collectively tackling the low-hanging fruit. This includes encouraging companies to use the current information sharing regimes immediately after discovering a threat.
It also includes two other solutions. First, companies must persistently educate end users, since it is well known that many security breaches begin with uneducated employees downloading malware. Second, companies must follow basic security precautions. The New York Times recently reported that the hackers who breached JP Morgan obtained inside access through a server that had not been updated. Sony hasn't released how the breach originally occurred, but new reports on the Sony hack are increasingly pointing to an inside job.
Companies Can Already Share Information
The most prominent proposals mentioned range from Senator McCain's SECURE IT to Senator Feinstein's Cybersecurity Information Sharing Act (CISA). The bills—which are nearly identical to the infamous CISPA—grant private companies new authority to spy on users and broad legal immunity for sharing the information obtained with the government. Neither is needed to share computer security information, as companies can already obtain such information and share it with other private companies and with the government.
Sharing between private companies routinely happens through Information Sharing and Analysis Centers (ISACs), public reports, and private communications, but it needs to happen faster and in greater quantities. In the past, companies were afraid to share such information with other businesses due to antitrust concerns; however, in 2012 the FTC and DOJ announced that they would not prosecute companies for sharing it. In fact, they encouraged companies to share computer security threat information such as malware signatures and attack vectors.
Secondly, companies can already share the information with the government. In 2012, President Obama created the Enhanced Cybersecurity Services. It directed DHS to create an information sharing hub, collect private sector information from companies, and then spread that information throughout the public and private sectors. The hub would also inform private sector partners about threats discovered by the government. The program has more privacy protections than any legislation we've seen from Congress in the past four years and should be used more by companies.
Congress Should Say No to Privacy-Invasive Information Sharing Bills
As the Sony hack continues to make news, we need to remember that the information sharing cybersecurity bills would not have stopped it and that Congress has already passed reasonable cybersecurity bills. Information sharing bills like CISPA, SECURE IT, CISA, and the Cybersecurity Act of 2012 should all be shelved. They replicate information sharing already being done by DHS, but with little to no privacy protection. Lawmakers should be encouraging the use of DHS's information sharing hub instead of proposing redundant regimes.